Maintaining GDPR Compliance in 2019

At the time of writing, it has been almost 6 months since the GDPR deadline passed. If you are reading this, congratulations! You survived. But what is next for the UK?

The GDPR is still in it’s infancy, and with the UK’s future currently uncertain, it can be difficult to imagine how it is going to affect us in 2019 and beyond.

1        ICO Crackdown

Initially, threats of huge fines and terrible consequences were what spurred many of us into action when preparing for the GDPR deadline. Fortunately for most SMEs, there was no mass ICO fining on the 25th of May.

However, the GDPR ‘grace period’ is officially coming to an end. For these first few months large enterprises and technology companies have been the focus of the ICO’s efforts, but soon their attention will shift to a wider array of businesses, of all sizes.

Data breaches notwithstanding, if you have remained stealthily non-compliant past the deadline, your time is running out. Ignoring the GDPR into 2019 is playing with fire and making no progress 6 months after the deadline is unacceptable in the eyes of the ICO.

So, get started now if you haven’t already.

2        Internal Change

For the organisations that have put some effort behind GDPR compliance, don’t relax yet. 2019 is about maintaining and improving your data protection efforts to avoid losing the high standard that you worked for.

Over the next year, there will undoubtedly be some form of change in your organisation. New people? New Technology? New Processes? All of these could create data insecurity if you don’t factor data protection into their implementation.

It’s for this reason that Purple recommends having a Data Protection Officer (DPO) in your organisation to keep track of change, and to check new initiatives against the GDPR. If you lack the resources to employ a full-time DPO, it is worth nominating one of your employees to take on this role (after training them!) or investing in a DPO-as-a-service option.

In the case of new technology, the employee responsible for compliance must understand if/where the tech collects or processes data to add it to their personal data inventory, and more importantly to make sure the technology itself doesn’t break legislation.

New hires also pose a risk, those dealing with customer data need to understand their GDPR responsibilities, so listing this as a job requirement and/or running semi-regular training for employees will begin to mitigate this.

3        Brexit

For those of you that are hoping the Brexit negotiations will free us from the shackles of GDPR compliance, I have some bad news. Despite the GDPR being an EU regulation, The United Kingdom had no small part in its development. In fact, UK lawmakers initially wanted the legislation to be even harsher than it is now.

In the case of any deal, the UK will almost certainly hold on to the principles of the GDPR, after all, the ICO has already been at work enforcing it for over 6 months.

However, there are possible complications if a no-deal Brexit occurs. In this case the UK will become a third country. Like the USA, we will still be obliged to comply to capture/process the data of EU citizens, but our own citizens are another matter entirely. It’s hoped that the ICO will maintain data protection guidelines, but at the time of writing, nothing is certain.

4        E-privacy regulation

Finally, 2019 has a surprise for you! Another piece of data legislation to worry about.

The e-privacy legislation is being launched in 2019, bringing with it some new rules that run parallel to those in the GDPR, adding new rules surrounding cookie consent and emerging technologies such as IoT. This hopefully means the end of web page consent pop ups, suggesting instead that we adjust site cookie permissions in our browser settings.

As of now, e-privacy regulation has no launch date. But it’s coming this year, so inform yourself now to avoid the same last-minute panic that so many faced on the 25th of May last year.

The full breakdown can be read here: https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation